On Wed, Sep 4, 2019 at 5:46 AM Nicolas Mailhot via devel
wrote:
>
> On 2019-09-03 18:52, Kyle Marek wrote:
>
> > Additionally, binding to a specific address does not handle dynamic
> > networks very well.
>
> Simplify that to binding to a specific address does not handle network
> very well, si
On 2019-09-03 18:52, Kyle Marek wrote:
Additionally, binding to a specific address does not handle dynamic
networks very well.
Simplify that to binding to a specific address does not handle network
very well, since everything is dynamic nowadays, on desktops, phones or
servers (servers vi
On 8/31/19 6:45 PM, John Harris wrote:
> On Friday, August 30, 2019 4:33:11 AM MST Björn Persson wrote:
>> John Harris wrote:
>>> Thing is, binding a port and expecting it to be open to every network
>>> interface you've got are two very different things.
>> Once again John Harris is completely wro
On Tue, Sep 3, 2019 at 12:26 AM John Harris wrote:
> There is not a single service in Fedora that is broken by the firewall
> running. You simply have to open the port before it can be accessed from a
> remote system, which is by design. Basic access control, a security feature.
Exactly.
On Sunday, September 1, 2019 4:13:10 AM MST mcatanz...@gnome.org wrote:
> On Sat, Aug 31, 2019 at 6:37 PM, Nico Kadel-Garcia
> wrote:
>
> > If 30 years in DevOps and system security in both large and small
> > networks count for anything, this makes *complete* sense. The
> > distinction between
On 8/28/19 1:01 AM, Adam Williamson wrote:
> On Tue, 2019-08-27 at 15:06 +0200, Jiri Eischmann wrote:
>> mcatanz...@gnome.org wrote on Tue, 27 Aug 2019 at 15:07 +0300:
>>> On Tue, Aug 27, 2019 at 4:22 AM, John Harris
>>> wrote:
No, that is not how this works, at all. First, let's go ahead and
>>>
On 8/27/19 3:25 AM, John Harris wrote:
> On Monday, August 26, 2019 7:25:27 AM MST Iñaki Ucar wrote:
>> On Mon, 26 Aug 2019 at 15:25, Robert Marcano
>> wrote:
>>>
>>>
>>> On 8/26/19 9:07 AM, mcatanz...@gnome.org wrote:
>>>
Well the thing is, blocking ports tends to break application
On Sun, Sep 1, 2019 at 7:16 AM wrote:
>
> On Sat, Aug 31, 2019 at 6:37 PM, Nico Kadel-Garcia
> wrote:
> > If 30 years in DevOps and system security in both large and small
> > networks count for anything, this makes *complete* sense. The
> > distinction between a "Workstation" deployment and a "S
On Sat, Aug 31, 2019 at 6:37 PM, Nico Kadel-Garcia
wrote:
If 30 years in DevOps and system security in both large and small
networks count for anything, this makes *complete* sense. The
distinction between a "Workstation" deployment and a "Server" or
"Everything" deployment should not include le
On Sat, Aug 31, 2019 at 7:04 PM John Harris wrote:
>
> On Friday, August 30, 2019 5:16:25 AM MST Nico Kadel-Garcia wrote:
> > > On Aug 29, 2019, at 9:41 PM, John Harris wrote:
> > >
> > >
> > >> On Thursday, August 29, 2019 8:12:22 AM MST Dan Book wrote:
> > >> I would agree, but people do instal
On Friday, August 30, 2019 5:16:25 AM MST Nico Kadel-Garcia wrote:
> > On Aug 29, 2019, at 9:41 PM, John Harris wrote:
> >
> >
> >> On Thursday, August 29, 2019 8:12:22 AM MST Dan Book wrote:
> >> I would agree, but people do install multiple desktops after installing
> >> a
> >> spin. Such a us
On Friday, August 30, 2019 12:35:34 PM MST mcatanz...@gnome.org wrote:
> On Wed, Aug 28, 2019 at 7:46 PM, Christopher
> wrote:
>
> > Yeah, I also don't want a complicated installer. I just don't see this
> > disagreement going anywhere without some sort of compromise, and I
> > can't think of an
On Friday, August 30, 2019 4:33:11 AM MST Björn Persson wrote:
> John Harris wrote:
> > Thing is, binding a port and expecting it to be open to every network
> > interface you've got are two very different things.
>
> Once again John Harris is completely wrong. The bind system call is
> precisely
On Wed, Aug 28, 2019 at 7:46 PM, Christopher
wrote:
Yeah, I also don't want a complicated installer. I just don't see this
disagreement going anywhere without some sort of compromise, and I
can't think of any others that will satisfy people. I think there's a
good chance this could be implemente
On Wed, Aug 28, 2019 at 5:33 AM, Jiri Eischmann
wrote:
And the same document says:
"While our focus is on creating a top-class developer workstation, our
developer focus will not compromise the aforementioned goal to be a
polished and user friendly system that appeals to a wide general
audience.
On Thu, Aug 29, 2019 at 06:54:48PM -0700, John Harris wrote:
> Workstation is only the primary product because somebody decided GNOME was
> the best default. This should be reconsidered, so that the various Spins,
This is backwards. We (the Fedora Board) at the time, asked for a team to
develop ou
> On Aug 29, 2019, at 9:41 PM, John Harris wrote:
>
>> On Thursday, August 29, 2019 8:12:22 AM MST Dan Book wrote:
>> I would agree, but people do install multiple desktops after installing a
>> spin. Such a use case needs to be considered (not sure if it matters,
>> though).
>
> This is defin
John Harris wrote:
> Thing is, binding a port and expecting it to be open to every network
> interface you've got are two very different things.
Once again John Harris is completely wrong. The bind system call is
precisely how a program specifies which network interfaces it wants to
open a socket
On Thursday, August 29, 2019 3:50:19 AM MST Iñaki Ucar wrote:
> Responding to the first message because I'm not interested in further
> discussion. It's clear to me that there will be no agreement in this
> matter unless there are reasonable potential alternatives. Therefore,
> this message is just
On Thursday, August 29, 2019 1:11:02 PM MST Chris Murphy wrote:
> On Thu, Aug 29, 2019 at 12:24 AM Chris Murphy
> wrote:
> >
> >
> > Debian has a permissive firewall
> > https://wiki.debian.org/DebianFirewall
>
>
> And Ubuntu, Mint, elementary, MX Linux, Solus, pop!_OS, as well. By
> permissive,
On Thursday, August 29, 2019 8:34:09 AM MST Christophe de Dinechin wrote:
> mcatanz...@gnome.org writes:
>
>
> > Well the thing is, blocking ports tends to break applications that want
> > to use those ports. We're not going to do that, period. It also doesn't
> > really accomplish anything: eith
On Thursday, August 29, 2019 5:29:32 PM MST Christopher wrote:
> Workstation is the primary product. Some choose that not for GNOME...
> but because they want to start with the most base product and
> customize from there. If you start with a Spin, you may get something
> pre-configured in a very w
On Thursday, August 29, 2019 11:17:11 AM MST Japheth Cleaver wrote:
> On 8/29/2019 8:10 AM, Adam Williamson wrote:
>
> > On Wed, 2019-08-28 at 23:13 -0400, Christopher wrote:
> >
> >> On Wed, Aug 28, 2019 at 8:56 PM John Harris
> >> wrote:
> >>
> >>> It might be okay to be a GNOME-specific thin
On Thursday, August 29, 2019 8:12:22 AM MST Dan Book wrote:
> I would agree, but people do install multiple desktops after installing a
> spin. Such a use case needs to be considered (not sure if it matters,
> though).
This is definitely not the ideal scenario, especially not from the case of the
On Thu, Aug 29, 2019 at 2:18 PM Japheth Cleaver wrote:
>
> On 8/29/2019 8:10 AM, Adam Williamson wrote:
> > On Wed, 2019-08-28 at 23:13 -0400, Christopher wrote:
> >> On Wed, Aug 28, 2019 at 8:56 PM John Harris wrote:
> >>> It might be okay to be a GNOME-specific thing, as that's the only spin of
On Thu, Aug 29, 2019 at 4:12 PM Chris Murphy wrote:
>
> On Thu, Aug 29, 2019 at 12:24 AM Chris Murphy wrote:
> >
> > Debian has a permissive firewall
> > https://wiki.debian.org/DebianFirewall
>
> And Ubuntu, Mint, elementary, MX Linux, Solus, pop!_OS, as well. By
> permissive, they all accept ev
On Thu, Aug 29, 2019 at 12:24 AM Chris Murphy wrote:
>
> Debian has a permissive firewall
> https://wiki.debian.org/DebianFirewall
And Ubuntu, Mint, elementary, MX Linux, Solus, pop!_OS, as well. By
permissive, they all accept everything. Nothing is rejected or
dropped.
Mageia, and openSUSE do h
On 8/29/2019 8:10 AM, Adam Williamson wrote:
On Wed, 2019-08-28 at 23:13 -0400, Christopher wrote:
On Wed, Aug 28, 2019 at 8:56 PM John Harris wrote:
It might be okay to be a GNOME-specific thing, as that's the only spin of
Fedora which is affected by this decision.
The default firewall conf
mcatanz...@gnome.org writes:
> Well the thing is, blocking ports tends to break applications that want
> to use those ports. We're not going to do that, period. It also doesn't
> really accomplish anything: either your app or service needs network
> access and you have whitelisted it (in which ca
On Thu, Aug 29, 2019 at 11:11 AM Adam Williamson
wrote:
> On Wed, 2019-08-28 at 23:13 -0400, Christopher wrote:
> > On Wed, Aug 28, 2019 at 8:56 PM John Harris
> wrote:
> > > On Wednesday, August 28, 2019 5:46:58 PM MST Christopher wrote:
> > > > A similar idea that would keep it separate from t
On Wed, 2019-08-28 at 23:13 -0400, Christopher wrote:
> On Wed, Aug 28, 2019 at 8:56 PM John Harris wrote:
> > On Wednesday, August 28, 2019 5:46:58 PM MST Christopher wrote:
> > > A similar idea that would keep it separate from the installer might be
> > > to offer a dialogue as a "first-boot" ac
Responding to the first message because I'm not interested in further
discussion. It's clear to me that there will be no agreement in this
matter unless there are reasonable potential alternatives. Therefore,
this message is just to let you all know that I'm at least trying to
push for better alter
Debian has a permissive firewall
https://wiki.debian.org/DebianFirewall
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-
On Wednesday, August 28, 2019 10:31:54 PM MST Christopher wrote:
> We're getting off-topic, but really quickly: Yes, you can select
> advanced packaging (at least you could in the past... probably still
> can). You can also use kickstart to automate installs with custom
> package installations and
On Thu, Aug 29, 2019 at 1:08 AM John Harris wrote:
>
> On Wednesday, August 28, 2019 10:00:35 PM MST Christopher wrote:
> > No, the default firewalld zone affects all Fedora Workstation users,
> > because firewalld runs outside of GNOME. Just because a user uses the
> > Workstation Edition doesn't
On Wednesday, August 28, 2019 10:00:35 PM MST Christopher wrote:
> No, the default firewalld zone affects all Fedora Workstation users,
> because firewalld runs outside of GNOME. Just because a user uses the
> Workstation Edition doesn't mean they're running GNOME... you can
> still run Cinnamon, X
On Wed, Aug 28, 2019 at 11:23 PM John Harris wrote:
>
> On Wednesday, August 28, 2019 8:13:59 PM MST Christopher wrote:
> > The default firewall config affects every user of that edition, even
> > if they never use GNOME (or even use graphical boot). So, I don't know
> > if this would be adequate.
On Wednesday, August 28, 2019 8:13:59 PM MST Christopher wrote:
> The default firewall config affects every user of that edition, even
> if they never use GNOME (or even use graphical boot). So, I don't know
> if this would be adequate.
This only affects GNOME users. Workstation = GNOME Spin.
Unl
On Wed, Aug 28, 2019 at 8:56 PM John Harris wrote:
>
> On Wednesday, August 28, 2019 5:46:58 PM MST Christopher wrote:
> > A similar idea that would keep it separate from the installer might be
> > to offer a dialogue as a "first-boot" action, but that seems like it'd
> > be a very GNOME-specific
On Wed, Aug 28, 2019, at 8:59 PM, John Harris wrote:
> On Wednesday, August 28, 2019 1:35:32 PM MST Colin Walters wrote:
> > FWIW,
> >
> > For Fedora CoreOS we don't enable a firewall by default; see
> > https://github.com/coreos/fedora-coreos-tracker/issues/26
> >
> > (Neither for that matter do
On Wednesday, August 28, 2019 1:35:32 PM MST Colin Walters wrote:
> FWIW,
>
> For Fedora CoreOS we don't enable a firewall by default; see
> https://github.com/coreos/fedora-coreos-tracker/issues/26
>
> (Neither for that matter does Fedora Cloud:
> https://pagure.io/fedora-kickstarts/blob/master
On Wednesday, August 28, 2019 5:46:58 PM MST Christopher wrote:
> A similar idea that would keep it separate from the installer might be
> to offer a dialogue as a "first-boot" action, but that seems like it'd
> be a very GNOME-specific thing, and firewalld is not specific to the
> WM/Desktop.
It
On Wednesday, August 28, 2019 3:50:49 PM MST Chris Murphy wrote:
> A somewhat related feature that was rejected by FESCo
> https://fedoraproject.org/wiki/Changes/SecurityPolicyInTheInstaller
> https://lists.fedoraproject.org/pipermail/devel/2014-March/19.html
Security policies aren't related t
On Wed, Aug 28, 2019 at 6:52 PM Chris Murphy wrote:
>
> On Wed, Aug 28, 2019 at 12:57 PM Christopher
> wrote:
> >
> > At the very least, it'd be nice if anaconda had an option to select
> > the default firewalld zone during installation,
>
> A somewhat related feature that was rejected by FESCo
On Wednesday, August 28, 2019 12:59:17 PM MST Christopher wrote:
> Yeah, obviously that would be bad. Please don't simply dismiss a
> serious suggestion, because it would be bad in other scenarios or if
> taken to the extreme. This is one specific suggestion, not a proposal
> to accept all similar
On Wednesday, August 28, 2019 10:00:03 AM MST Chris Murphy wrote:
> This is hyperbole, and turning up the volume isn't going to make
> anyone go "oh, ok, now I see your point, it's hostile and we don't
> want to do that, let's change it" as if literally everyone reading
> this is some kind of moron
On Wednesday, August 28, 2019 9:05:00 AM MST Tony Nelson wrote:
> Properly packaged Fedora software uses either the D-Bus interface
> at runtime or firewall-cmd in a scriptlet at install time to open any
> needed ports
This is not actually the case. No software, to my knowledge, makes the
assumpt
On Wed, Aug 28, 2019 at 12:57 PM Christopher wrote:
>
> At the very least, it'd be nice if anaconda had an option to select
> the default firewalld zone during installation,
A somewhat related feature that was rejected by FESCo
https://fedoraproject.org/wiki/Changes/SecurityPolicyInTheInstaller
h
FWIW,
For Fedora CoreOS we don't enable a firewall by default; see
https://github.com/coreos/fedora-coreos-tracker/issues/26
(Neither for that matter does Fedora Cloud:
https://pagure.io/fedora-kickstarts/blob/master/f/fedora-cloud-base.ks#_36 )
On Wed, Aug 28, 2019 at 4:27 PM Adam Williamson
wrote:
> That is talking about the whole idea that having a firewall enabled by
> default is not as important if there are no listening services by
> default; at that point you can make the argument that installing a
> service that listens on a port
On Wed, 2019-08-28 at 22:32 +0300, mcatanz...@gnome.org wrote:
> On Wed, Aug 28, 2019 at 9:56 PM, Christopher
> wrote:
> > 2) the Workstation WG has not only taken no action in response to the
> > FESCo statement of trust at the conclusion of our last lengthy
> > discussion on this matter, it has
On Wed, Aug 28, 2019 at 3:33 PM wrote:
>
> On Wed, Aug 28, 2019 at 9:56 PM, Christopher
> wrote:
>
> 2) the Workstation WG has not only taken no action in response to the FESCo
> statement of trust at the conclusion of our last lengthy discussion on this
> matter, it has been explicitly stated
On Wed, Aug 28, 2019 at 9:56 PM, Christopher
wrote:
2) the Workstation WG has not only taken no action in response to the
FESCo statement of trust at the conclusion of our last lengthy
discussion on this matter, it has been explicitly stated in this
thread that they have never had any intention
On Wed, Aug 28, 2019 at 1:01 PM Chris Murphy wrote:
>
> On Wed, Aug 28, 2019 at 9:36 AM John Harris wrote:
>
> > Essentially disabling the firewall falls under having a "bad design for
> > everyone else". Disabling the firewall is something that could be considered
> > hostile to the user.
>
> Th
On Wed, Aug 28, 2019 at 9:36 AM John Harris wrote:
> Essentially disabling the firewall falls under having a "bad design for
> everyone else". Disabling the firewall is something that could be considered
> hostile to the user.
This is hyperbole, and turning up the volume isn't going to make
anyo
On 19-08-28 01:03:51, Chris Murphy wrote:
On Tue, Aug 27, 2019 at 10:26 PM Christopher
wrote:
>
> On Tue, Aug 27, 2019 at 9:27 PM Chris Murphy
wrote:
>
> > The Workstation technical specification document says in part:
>
> Where is the full technical specification document, so one can read
On Wednesday, August 28, 2019 2:45:37 AM MST Björn Persson wrote:
> If an attacker guesses your passphrase, then it's your weak passphrase
> that allows them to break in.
No. Having it wide open to the network means it can be broken, even through
brute force if necessary.
> (That said, I'd be in
On Wednesday, August 28, 2019 3:33:48 AM MST Jiri Eischmann wrote:
> Adam Williamson wrote on Tue, 27 Aug 2019 at 16:01 -0700:
>
> > On Tue, 2019-08-27 at 15:06 +0200, Jiri Eischmann wrote:
> >
> > > mcatanz...@gnome.org wrote on Tue, 27 Aug 2019 at 15:07 +0300:
> > >
> > > > On Tue, Aug 27, 2019 at 4:2
Adam Williamson wrote on Tue, 27 Aug 2019 at 16:01 -0700:
> On Tue, 2019-08-27 at 15:06 +0200, Jiri Eischmann wrote:
> > mcatanz...@gnome.org wrote on Tue, 27 Aug 2019 at 15:07 +0300:
> > > On Tue, Aug 27, 2019 at 4:22 AM, John Harris <
> > > joh...@splentity.com>
> > > wrote:
> > > > No, that is not how t
John Harris wrote:
> Consider this. Our default ssh config, under your firewall config, would
> allow
> any system on any network your system is connected to to break in.
Only if you have chosen a worthless passphrase. Fedora's default SSHD
configuration – on those spins where SSHD is actually i
On Tuesday, August 27, 2019 10:03:51 PM MST Chris Murphy wrote:
> https://fedoraproject.org/wiki/Workstation/Technical_Specification
>
> The discussion and decision to not include firewall-config (GUI
> configuration application for firewalld) by default, five years ago
> https://lists.fedoraproje
On Tue, 2019-08-27 at 17:11 -0700, John Harris wrote:
> Workstation ships with sshd enabled by default, unless something has changed.
It doesn't. This was definitely a conscious decision related to the
firewall policy. See
/usr/lib/systemd/system-preset/80-workstation.preset , where sshd is
explic
On Tue, Aug 27, 2019 at 10:26 PM Christopher wrote:
>
> On Tue, Aug 27, 2019 at 9:27 PM Chris Murphy wrote:
>
> > The Workstation technical specification document says in part:
>
> Where is the full technical specification document, so one can read it
> not in part, but in full?
https://fedorapr
On Tue, Aug 27, 2019 at 9:27 PM Chris Murphy wrote:
>
> On Tue, Aug 27, 2019 at 6:23 PM John Harris wrote:
> >
> > sshd was enabled by default back in F23, unless my install was completely
> > broken. I wouldn't remember that well, unfortunately, as I've been running
> > KDE
> > since the end of
On 19-08-27 19:58:15, Chris Murphy wrote:
...
I definitely do not want to pester developers, or make their day to
day life difficult. If there's no satisfactory GUI right now to manage
it, it's difficult to even experiment with different policies. The
original firewalld proposal considered the g
On Tue, Aug 27, 2019 at 6:23 PM John Harris wrote:
>
> sshd was enabled by default back in F23, unless my install was completely
> broken. I wouldn't remember that well, unfortunately, as I've been running KDE
> since the end of the F24 release cycle.
I don't think so.
* Fri Mar 13 2015 Dennis Gi
On Tuesday, August 27, 2019 5:15:52 PM MST Chris Murphy wrote:
> > > That actually isn't clear at all. And I am the end user and sysadmin.
> > > I'm at home, I have my own AP, but none of the equipment is under my
> > > direct control, it's centrally managed by a company I don't even pay.
> > > So,
On Tuesday, August 27, 2019 4:58:15 PM MST Chris Murphy wrote:
> On Tue, Aug 27, 2019 at 5:02 PM Adam Williamson
> wrote:
>
> >
> >
> > However, Fedora Workstation is an edition. Which means it has a
> > *policy-defined* target audience. That target audience is defined here:
> > https://fedorapro
> > That actually isn't clear at all. And I am the end user and sysadmin.
> > I'm at home, I have my own AP, but none of the equipment is under my
> > direct control, it's centrally managed by a company I don't even pay.
> > So, is it trustworthy? Maybe. Maybe not. I have no practical way of
> > kn
On Tuesday, August 27, 2019 4:49:03 PM MST Japheth Cleaver wrote:
> On 8/27/2019 4:01 PM, Adam Williamson wrote:
>
> > On Tue, 2019-08-27 at 15:06 +0200, Jiri Eischmann wrote:
> >
> >> mcatanz...@gnome.org wrote on Tue, 27 Aug 2019 at 15:07 +0300:
> >>
> >>> On Tue, Aug 27, 2019 at 4:22 AM, John Har
On Tuesday, August 27, 2019 5:05:57 PM MST Chris Murphy wrote:
> On Tue, Aug 27, 2019 at 5:24 PM John Harris wrote:
>
> >
> >
> > On Tuesday, August 27, 2019 8:23:01 AM MST Chris Murphy wrote:
>
>
>
> > > Windows is enabled by default with two "zones" or "policies" (I can't
> > > even tell from
On Tue, Aug 27, 2019 at 5:30 PM John Harris wrote:
>
> On Tuesday, August 27, 2019 8:23:01 AM MST Chris Murphy wrote:
> > The firewall on macOS is disabled by default. Therefore I can't agree
> > with any assessment that Fedora Workstation is, on this point alone,
> > in some sort of vulnerable st
On Tue, Aug 27, 2019 at 5:24 PM John Harris wrote:
>
> On Tuesday, August 27, 2019 8:23:01 AM MST Chris Murphy wrote:
> > Windows is enabled by default with two "zones" or "policies" (I can't
> > even tell from their own UI what to call this), one for private
> > networks, and another for guest/pu
On Tue, Aug 27, 2019 at 5:02 PM Adam Williamson
wrote:
>
> However, Fedora Workstation is an edition. Which means it has a
> *policy-defined* target audience. That target audience is defined here:
> https://fedoraproject.org/wiki/Workstation/Workstation_PRD#Target_Audience
>
> Case 1: "Engineering
On 8/27/2019 4:01 PM, Adam Williamson wrote:
On Tue, 2019-08-27 at 15:06 +0200, Jiri Eischmann wrote:
mcatanz...@gnome.org wrote on Tue, 27 Aug 2019 at 15:07 +0300:
On Tue, Aug 27, 2019 at 4:22 AM, John Harris
wrote:
No, that is not how this works, at all. First, let's go ahead and
address the
id
MacOS has firewall disabled by default on every iteration.
Luya
On 2019-08-27 4:23 p.m., John Harris wrote:
> On Tuesday, August 27, 2019 8:23:01 AM MST Chris Murphy wrote:
>> On Tue, Aug 27, 2019 at 6:22 AM Neal Gompa wrote:
>>> The other major non-Linux operating systems do. Both
On Tuesday, August 27, 2019 8:23:01 AM MST Chris Murphy wrote:
> The firewall on macOS is disabled by default. Therefore I can't agree
> with any assessment that Fedora Workstation is, on this point alone,
> in some sort of vulnerable state outside that of macOS.
Talked to a coworker, who is a hea
On Tuesday, August 27, 2019 8:23:01 AM MST Chris Murphy wrote:
> On Tue, Aug 27, 2019 at 6:22 AM Neal Gompa wrote:
>
> >
> >
> > The other major non-Linux operating systems do. Both Microsoft Windows
> > and Apple macOS ship with active firewalls by default.
>
>
> The firewall on macOS is disab
On Tuesday, August 27, 2019 8:04:46 AM MST Louis Lagendijk wrote:
> On Tue, 2019-08-27 at 10:14 -0400, Robert Marcano wrote:
>
> > On 8/27/19 10:03 AM, John Harris wrote:
> >
> > >
> >
> > Any new Wifi connection could be identified by their SSID, so it
> > could
> > still be secure by default
On Tuesday, August 27, 2019 9:59:23 AM MST David Kaufmann wrote:
> I'm not trying to recommend it, this is already done, e.g. for mdns,
> samba-client, or ssh. (To be fair that happens on os install, not
> necessarily on package install)
> I'm trying to list the problems with those options.
There
On Tuesday, August 27, 2019 10:09:12 AM MST Stephen John Smoogen wrote:
> On Tue, 27 Aug 2019 at 13:01, Vitaly Zaitsev via devel
> wrote:
>
> >
> >
> > On 27.08.2019 18:14, Björn Persson wrote:
> >
> > > If it could come from anywhere, then we must assume that it's
> > > malicious.
> > > You exe
I'm not sure why this isn't clear, but the examples that I provided are far
from the only aspects, and I notice you're only addressing the ones that
require the user to manually run something.
Consider this. Our default ssh config, under your firewall config, would allow
any system on any netwo
On Tue, 2019-08-27 at 15:06 +0200, Jiri Eischmann wrote:
> mcatanz...@gnome.org wrote on Tue, 27 Aug 2019 at 15:07 +0300:
> > On Tue, Aug 27, 2019 at 4:22 AM, John Harris
> > wrote:
> > > No, that is not how this works, at all. First, let's go ahead and
> > > address the
> > > idea that "if the firew
On Tue, Aug 27, 2019 at 4:54 PM John Harris wrote:
>
> On Tuesday, August 27, 2019 9:14:10 AM MST Björn Persson wrote:
> > John Harris wrote:
> > >On Tuesday, August 27, 2019 5:36:20 AM MST Björn Persson wrote:
> > >> Please elaborate. Where does the script come from, what exactly happens
> > >> b
On Tuesday, August 27, 2019 9:14:10 AM MST Björn Persson wrote:
> John Harris wrote:
> >On Tuesday, August 27, 2019 5:36:20 AM MST Björn Persson wrote:
> >> Please elaborate. Where does the script come from, what exactly happens
> >> by accident, and how would a packet filter stop it?
> >
> >It cou
On Tue, 27 Aug 2019 at 13:01, Vitaly Zaitsev via devel
wrote:
>
> On 27.08.2019 18:14, Björn Persson wrote:
> > If it could come from anywhere, then we must assume that it's malicious.
> > You executed untrusted code. It's already past your firewall. Game over,
> > you're infected. You're closing
On 27.08.2019 18:14, Björn Persson wrote:
> If it could come from anywhere, then we must assume that it's malicious.
> You executed untrusted code. It's already past your firewall. Game over,
> you're infected. You're closing the stable door after the horse has
> bolted.
Any application can run ba
On Tue, Aug 27, 2019 at 06:58:06AM -0700, John Harris wrote:
> On Tuesday, August 27, 2019 4:37:24 AM MST David Kaufmann wrote:
>> Both option have their disadvantages - in the case of "maintainer opens
>> ports" the ports are open as soon as the package gets installed, and
>> software not run/inst
John Harris wrote:
>On Tuesday, August 27, 2019 5:36:20 AM MST Björn Persson wrote:
>> Please elaborate. Where does the script come from, what exactly happens
>> by accident, and how would a packet filter stop it?
>
>It could come from anywhere, that's not the point. A *firewall* would stop it
>
For those who can't change their default zone in the firewall after installing
Fedora Workstation, completely blocking all ports may result in worse things, like
completely turning off the firewall, because they can't run their online video games,
for example, and someone always advised them to do this.
We reme
On Tue, Aug 27, 2019 at 6:22 AM Neal Gompa wrote:
>
> The other major non-Linux operating systems do. Both Microsoft Windows
> and Apple macOS ship with active firewalls by default.
The firewall on macOS is disabled by default. Therefore I can't agree
with any assessment that Fedora Workstation i
Iñaki Ucar wrote on Tue, 27 Aug 2019 at 16:17 +0200:
> On Tue, 27 Aug 2019 at 14:20, wrote:
> > The main competitor of Fedora Workstation is Ubuntu. Ubuntu ships
> > without a firewall enabled and nobody considers this a critical
> > vulnerability. Now: why is that...?
>
> 1. Ubuntu Server ships with
On Tue, 2019-08-27 at 10:14 -0400, Robert Marcano wrote:
> On 8/27/19 10:03 AM, John Harris wrote:
> >
> Any new Wifi connection could be identified by their SSID, so it
> could
> still be secure by default and ask for that specific connection to
> be
> opened because you trust them. As I propos
On Tue, 27 Aug 2019 at 15:17, Iñaki Ucar wrote:
>
> Windows shows a pop-up.
To be fair, I've just checked and Windows 10 doesn't show a pop-up;
better than that: when you (enter the password and) hit "connect", it
asks there whether it's a private network and you want to share
resources, yes or n
On Tuesday, August 27, 2019 7:14:20 AM MST Robert Marcano wrote:
> On 8/27/19 10:03 AM, John Harris wrote:
>
> > On Tuesday, August 27, 2019 5:35:08 AM MST Robert Marcano wrote:
> >
> >> On 8/27/19 8:18 AM, mcatanz...@gnome.org wrote:
> >>
> >>
> >>
> >>> On Tue, Aug 27, 2019 at 2:37 PM, Iñaki Uc
On Tue, 27 Aug 2019 at 14:20, wrote:
>
> The main competitor of Fedora Workstation is Ubuntu. Ubuntu ships without a
> firewall enabled and nobody considers this a critical vulnerability. Now: why
> is that...?
1. Ubuntu Server ships without a firewall enabled. Do you think that's
a good policy
On 8/27/19 10:03 AM, John Harris wrote:
On Tuesday, August 27, 2019 5:35:08 AM MST Robert Marcano wrote:
On 8/27/19 8:18 AM, mcatanz...@gnome.org wrote:
On Tue, Aug 27, 2019 at 2:37 PM, Iñaki Ucar
wrote:
There's no need to write "a new style of firewall". It would be as
easy as asking the
On Tuesday, August 27, 2019 7:06:31 AM MST Ryan Walklin wrote:
> > > On Tue, Aug 27, 2019 at 4:22 AM, John Harris
>
>
>
> >
> > That port numbers are now "technical details" is fairly concerning, and I
> >
> > can't imagine why you think users shouldn't be able to configure their
> > firewal
> > On Tue, Aug 27, 2019 at 4:22 AM, John Harris
>
> That port numbers are now "technical details" is fairly concerning, and I
> can't imagine why you think users shouldn't be able to configure their
> firewall. You realize we have a GTK firewall configuration program?
>
> Right now, the ave
On Tuesday, August 27, 2019 5:35:08 AM MST Robert Marcano wrote:
> On 8/27/19 8:18 AM, mcatanz...@gnome.org wrote:
>
> > On Tue, Aug 27, 2019 at 2:37 PM, Iñaki Ucar
> > wrote:
>
> >> There's no need to write "a new style of firewall". It would be as
> >> easy as asking the user once whether a n
1 - 100 of 164 matches